Asterisk 11 chan_sip.c: Failed to authenticate device (the IP is not shown)
ada · 2017-07-04 · via 博客园 - ada

Not verified.

Original article: http://www.coochey.net/?p=61

Asterisk 11 (FreePBX distribution) fail2ban configuration using the security log.

I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4).

I have noticed that I get a lot of entries in the Asterisk log that look like this:

[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30
[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857
[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=243f3815
[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=a049427e
[2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555<sip:5555@7aaa.bb.ccc.dd>;tag=c3c7f81b
[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=6be78a0b
[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=1979ada5

Where, of course, aaa.bb.ccc.dd is the address of my SIP server. Unfortunately, while FreePBX ships a fail2ban module, Asterisk's main log does not record the remote address in these messages, so fail2ban has nothing it can act on.

The way I have got around this involves making some custom modifications to the Asterisk configuration.

Firstly, we need to enable the Asterisk (v11) security logging feature:

Edit /etc/asterisk/logger_logfiles_custom.conf and add the following:

fail2ban2       => security,notice,warning,error

This will create an additional log file called /var/log/asterisk/fail2ban2.

Now we need to edit the fail2ban configuration in /etc/fail2ban to process the security-logged items. FreePBX keeps its own configuration in jail.local, so we add ours to jail.conf:

[asterisk11-iptables]
enabled  = true
filter   = asterisk11
action   = iptables-allports[name=SIP, protocol=all]
           sendmail-whois[name=SIP, dest=alerts@example.com, sender=pbx@example.com]
logpath  = /var/log/asterisk/fail2ban2

Finally, we create a simple regex to extract the IP address we want to ban, and put it in /etc/fail2ban/filter.d/asterisk11.conf:

# Fail2Ban configuration file 
# 
# 
# $Revision: 250 $ 
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from 
# common.local 
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex 
# Notes.:  regex to match the password failures messages in the logfile. The 
#          host must be matched by a group named "host". The tag "<HOST>" can 
#          be used for standard IP/hostname matching and is only an alias for 
#          (?:::f{4,6}:)?(?P<host>\S+) 
# Values:  TEXT 
# 
failregex = SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/
#VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
# Option:  ignoreregex 
# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
# Values:  TEXT 
# ignoreregex =

That's it. fail2ban now picks up messages like this one from the security log and bans the address behind these attempts:

[2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091582935268",Severity="Error",Service="SIP",EventVersion="2",AccountID="00972597103443",SessionID="0x7fa42c001ac8",LocalAddress="IPV4/UDP/aaa.bb.ccc.dd/5060",RemoteAddress="IPV4/UDP/37.8.1.89/5071",Challenge="61074795",ReceivedChallenge="61074795",ReceivedHash="b469462e8e7de800b54eb50ffe46de86"
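To see what the filter actually captures, here is an added example (not part of the original post, and not fail2ban's own code) that compiles the post's failregex the way fail2ban does, with <HOST> expanded to the alias quoted in the filter's comments, and replays fail2ban's maxretry/findtime counting rule over a few constructed log lines: an old-style chan_sip NOTICE line (which cannot match, since it names the server rather than the client) and a non-failure SecurityEvent are included to show that they are ignored. The 192.0.2.x, 203.0.113.x and 198.51.100.x addresses, the AccountID, SessionID, challenge and hash values, the maxretry/findtime defaults and the SuccessfulAuth line are all constructed; the timestamp parser is my own stand-in for fail2ban's date detection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with this alias (quoted in the filter's own
# comments); the optional prefix strips an IPv4-mapped IPv6 form such as ::ffff:
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from asterisk11.conf, compiled the way fail2ban compiles it.
FAILREGEX = re.compile(
    r'SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/'
    .replace("<HOST>", HOST_ALIAS)
)

# Asterisk's "[YYYY-MM-DD HH:MM:SS]" prefix; stands in for fail2ban's date detection.
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def extract_host(line):
    """Return the remote address the filter captures, or None if the line is not a failure."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Replay fail2ban's counting rule: a host is banned once it has `maxretry`
    matching failures within any `findtime`-second window. Returns the hosts in
    the order they would be banned; lines without a timestamp are skipped here
    (fail2ban would stamp them with the time it read them)."""
    recent = defaultdict(list)   # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        host = extract_host(line)
        ts = TIMESTAMP.match(line)
        if host is None or ts is None:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        cutoff = when - timedelta(seconds=findtime)
        recent[host] = [t for t in recent[host] if t >= cutoff] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample input (documentation-range addresses, dummy IDs and hashes);
# the field layout follows the res_security_log.c line shown in the post.
SECURITY_TEMPLATE = (
    '[{ts}] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",'
    'EventTV="0",Severity="Error",Service="SIP",EventVersion="2",AccountID="{acct}",'
    'SessionID="0x0",LocalAddress="IPV4/UDP/192.0.2.1/5060",'
    'RemoteAddress="IPV4/UDP/{ip}/{port}",Challenge="0",ReceivedChallenge="0",'
    'ReceivedHash="00000000000000000000000000000000"'
)
# The chan_sip NOTICE line the post starts from: it names the SIP server, not the
# client, so there is nothing for the filter to capture.
NOTICE_LINE = ('[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: '
               'Failed to authenticate device 555<sip:555@192.0.2.1>;tag=e9a98a30')
# A non-failure security event (constructed): must not count toward a ban.
SUCCESS_LINE = (
    '[2013-07-06 07:20:05] SECURITY[4078] res_security_log.c: SecurityEvent="SuccessfulAuth",'
    'EventTV="0",Severity="Informational",Service="SIP",EventVersion="1",AccountID="100",'
    'SessionID="0x0",LocalAddress="IPV4/UDP/192.0.2.1/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"'
)

SAMPLE_LOG = [
    NOTICE_LINE,
    SECURITY_TEMPLATE.format(ts="2013-07-06 07:19:42", acct="555", ip="203.0.113.10", port="5071"),
    SECURITY_TEMPLATE.format(ts="2013-07-06 07:19:45", acct="555", ip="203.0.113.10", port="5072"),
    SECURITY_TEMPLATE.format(ts="2013-07-06 07:19:48", acct="5555", ip="203.0.113.10", port="5073"),
    SECURITY_TEMPLATE.format(ts="2013-07-06 07:20:01", acct="5555", ip="198.51.100.7", port="5060"),
    SUCCESS_LINE,
    # Same host again more than findtime later: the earlier failure has aged out.
    SECURITY_TEMPLATE.format(ts="2013-07-06 08:30:00", acct="5555", ip="198.51.100.7", port="5060"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{extract_host(line) or '-':>15}  {line[:70]}...")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

One thing the replay makes visible: because <HOST> expands to `\S+`, the address is found by backtracking to the last slash in the run of non-space characters after `RemoteAddress="IPV4/UDP/`. That is fine for Asterisk's field order, where nothing after RemoteAddress contains a slash, but it is worth remembering if you ever adapt the regex to a log format that does.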

Categories: Ramblings. Tags: Asterisk, fail2ban, FreePBX, Linux, log, PBX, security